I was under the impression that the FormHelper not only automatically protects me from SQL injection, but also, by default, escapes special characters like the HtmlHelper does. However, when I have:
<?php echo $this->Form->input('field', array('escape' => true)); ?>
and then enter, for example, & and ' into the field and hit save, these special characters get saved to the database without any escaping. This also happens without setting the escape option to true. So my question follows:
Is it true that CakePHP is designed so that you are neither supposed nor able to escape a form field before saving using the FormHelper options? Or am I doing something wrong?
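The behaviour described above (the value is stored exactly as typed) is the expected one: HTML escaping belongs at output time, and SQL injection is prevented by parameterised queries rather than by altering the stored value. The following is an added illustration of that split, not code from the original post or from the CakePHP project; it uses plain PDO with an in-memory SQLite database (an assumption made so it runs stand-alone) and htmlspecialchars(), the function CakePHP's h() wraps.

```php
<?php
// Added example: store raw form input, parameterise the SQL, escape only at output.
// Assumes an in-memory SQLite database so the script runs without CakePHP or a server.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, field TEXT NOT NULL)');

// Constructed input, like the & and ' typed into the form in the question,
// plus a quote-based value that would break a string-concatenated query.
$submitted = [
    "Tom & Jerry's",
    "x'); DROP TABLE posts; --",
];

// SAVE: a prepared statement sends the value separately from the SQL text,
// so the apostrophe is data, never syntax. The value itself is not modified.
$insert = $pdo->prepare('INSERT INTO posts (field) VALUES (:field)');
foreach ($submitted as $value) {
    $insert->execute([':field' => $value]);
}

// READ BACK: the stored text is byte-for-byte what the user typed.
$rows = $pdo->query('SELECT id, field FROM posts ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    assert($row['field'] === $submitted[(int) $row['id'] - 1]);
}
// The table still has both rows: the "DROP TABLE" text was stored, not executed.
assert((int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn() === 2);

// OUTPUT: HTML-escape at render time, which is the job of h()/htmlspecialchars(),
// so & and ' become entities in the page without ever touching the database.
function renderField(string $value): string
{
    return '<input type="text" name="field" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . '">';
}

foreach ($rows as $row) {
    echo renderField($row['field']), "\n";
}
```

Run it with `php example.php`: the rendered inputs show the entity-encoded values while the SELECT returns the raw ones, which is exactly the split the question observed.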